Advances in Network Services Chain

Network Service Chaining in Fog and Cloud

Computing for the 5G Environment:
Data Management and Security Challenges
Rajat Chaudhary, Neeraj Kumar, and Sherali Zeadally

The authors present Abstract tation and storage. Each device (smart object)
an architecture that has its own unique IP address for communicating
integrates cloud and fog In the last few years, we have seen an expo- with the other devices. Compared to IoT, cloud
computing in the 5G nential increase in the number of Internet-enabled computing has a centralized architecture in which
devices, which has resulted in popularity of fog various data service providers are used to reduce
environment that works and cloud computing among end users. End users data warehousing costs while providing virtually
in collaboration with expect high data rates coupled with secure data unlimited storage space. In contrast, IoT is a dis-
advanced technologies access for various applications executed either at tributed architecture and acts as a data receiver
such as SDN and NFV the edge (fog computing) or in the core network with limited storage capacity.
with the NSC model. The (cloud computing). However, the bidirectional As per the CISCO report [1], by 2020, the IoT
data flow between the end users and the devic- will be made up of nearly 50 billion devices con-
NSC service model helps es located at either the edge or core may cause nected to the Internet (from 500 million in 2003,
to automate the virtual congestion at the cloud data centers, which are 12.5 billion in 2010, and 25 billion in 2015). The
resources by chaining in a used mainly for data storage and data analytics. massive amount of data generated from the IoT
series for fast computing The high mobility of devices (e.g., vehicles) may devices is stored at the cloud data centers (DCs),
in both computing tech- also pose additional challenges with respect to which exponentially increases the load on the
data availability and processing at the core data network. Network congestion is a major chal-
nologies. The proposed centers. Hence, there is a need to have most of lenge for processing large amounts of data from
architecture also supports the resources available at the edge of the net- different geo-distributed database repositories.
data analytics and man- work to ensure the smooth execution of end-user The other issues related to data processing at the
agement with respect to applications. Considering the challenges of future DCs include slow data rates, low bandwidth, high
device mobility. user demands, we present an architecture that end-to-end latency, high cost, fault tolerance, and
integrates cloud and fog computing in the 5G security. Due to these challenges, real-time data
environment that works in collaboration with the analytics on large amounts of data becomes a
advanced technologies such as SDN and NFV challenging task. To meet the requirements of
with the NSC model. The NSC service model higher capacity and higher data rates for most
helps to automate the virtual resources by chain- real-time business applications, fifth generation
ing in a series for fast computing in both com- (5G) technology has emerged.
puting technologies. The proposed architecture To improve the performance of cloud DCs, a
also supports data analytics and management new infrastructure model called a cloudlet (cloud
with respect to device mobility. Moreover, we servers) has become popular. The cloudlet model
also compare the core and edge computing with makes the cloud DCs’ capabilities accessible at
respect to the type of hypervisors, virtualization, the edge of the mobile network, also known as
security, and node heterogeneity. By focusing on mobile edge computing (MEC) or fog computing
nodes’ heterogeneity at the edge or core in the (FC), which is considered as the future evolution
5G environment, we also present security chal- of cloud computing. To address the above chal-
lenges and possible types of attacks on the data lenges, fifth generation (5G) technology works
shared between different devices in the 5G envi- in collaboration with other promising technolo-
ronment. gies such as- software-defined networking (SDN),
network functions virtualization (NFV), network
Introduction service chaining (NSC), and massive mutiple-input
Cloud computing and the Internet of Things (IoT) multiple output (MIMO) technology [2] in order
have become popular with the exponential usage to provide high quality of service (QoS) to smart
of smart devices in recent years. Cloud computing objects.
is a platform for data storage, analytics, visualiza- The NSC service model integrates SDN and
tion, and shared pools of resources located across NFV services in order to perform fast computa-
the globe through which various services can be tion of services in the 5G network with the help
accessed from anywhere using the Internet. On of different types of network and communicat-
the other hand, IoT provides connectivity to var- ing protocols. The types of network connectivity
ious smart devices that can be used for compu- used by the NSC model includes cellular tech-
Digital Object Identifier:
10.1109/MCOM.2017.1700102 Rajat Chaudhary and Neeraj Kumar are with Thapar University; Sherali Zeadally is with the University of Kentucky.

114 0163-6804/17/$25.00 © 2017 IEEE IEEE Communications Magazine • November 2017

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 Cloud computing Fog computing (edge computing) End point terminal network devices
Cloud data storage Fog layer Small cell
node Cluster 1

Specialist applications Secure infrastructure

Fog-cloud Temporary relevant
Eg: business applications, communication information storage
SaaS links
web services, multimedia Edge l
tua n
communication Mu ticatio Dense
links h e n
Cloud aut /SS
L mobile data
Software platform gateway 1 TLS ssion access
se
PaaS Eg: virtual desktop, Wireless
queue, database Fog Edge access point Adversary Device to
gateway 1 gateway 1 device
Radio TLS/SSL connection
Infrastructure tower session
Cloud
IaaS gateway 2 l
Eg: computation virtual Edge Mutuaation
machines tic
Fog gateway K authen Small cell/hetnet
gateway N
Cloud Adversary
gateway M Intellligent
Hardware edge nodes
Geographical Cluster P
Physical Eg: CPU, memory, hard distributed edges Nano data
machines disk, processors Mini data Micro data Response: milliseconds
center center
center
Back end: data center (TB-ZB size)
Response: few minutes Fog instance (High data rate, low latency, higher
(slow data rate, lower capacity, very high latency, (boundary) capacity, low cost, real-time analytics)
high cost)

Layer 3: upper layer Layer 2: middle layer Layer 1: bottom layer

Figure 1. Detailed system architecture for integration of cloud, fog, and end point terminals.

nologies, Wi-Fi networks, and small cell base Contributions of This Work
stations (e.g., femtocells, picocells, macrocells) We summarize the main research contributions of
[2] deployed to provide services to the smart this work as follows:
objects. Moreover, the NSC model uses com- • We propose a system architecture that
munication protocol such as: OpenFlow, rout- enables the integration of cloud and fog
ing protocol for low-power lossy-networks (RPL) computing in context with NSC.
for routing, Constrained Application Protocol • In the context of the 5G environment, we
(CoAP) for messaging, and transport layer secu- present a unified NSC model in SDN and
rity (TLS) for providing security [1] to enable the NFV architecture for increasing the response
operations of smart objects. time on the cloud computing and FC model.
The integration of the cloud computing model • We explore a security model for protecting
and the FC model with IoT in the 5G network the cloudlet mesh from DDoS attack by
environment opens up various security challeng- using a Kerberos authentication server.
es. Risks and possible attacks, such as distributed The rest of the article is organized as follows.
denial of service (DDoS, at the nearby cloudlet We describe cloud computing in the 5G environ-
instead of the remote DCs exist. The perpetrator ment. We describe virtualization and its needs.
(attacker) using mobile devices can make services We discuss fog computing and its integration with
unavailable by disrupting the cloudlet services in cloud computing and IoT in the 5G environment.
order to compromise the QoS of the edge devic- DDoS attacks and their impact on the proposed
es. In a cloudlet mesh architecture, the authenti- architecture is evaluated. Finally, the article is con-
cation of mobile devices is mandatory in order to cluded.
prevent DDoS attacks. In this context, Kerberos,
a secure reliable authentication server [3], checks Cloud Computing in the
the authenticity of every mobile device and gener-
ates the ticket to access services from the cloudlet 5G Environment
mesh. For every cloudlet at a distinct location, The traditional cellular radio access network
Kerberos is implemented in our proposed archi- (RAN) architecture has limited spectral efficiency
tecture to protect the cloudlet servers from possi- and causes frequency reuse interference issues
ble DDoS attacks. among adjacent cells. The modern cloud RAN
Figure 1 shows the proposed architecture of (CRAN) architecture used in 3G/4G uses technol-
cloud, fog, and end terminal devices. We have ogies like dense wavelength-division multiplexing
divided the proposed system architecture into the (DWDM), and millimeter-wave (mmWave) [4]
following three layers, discussed below: for delivering high performance. Although CRAN
• Bottom Layer (Layer 1). Endpoint terminal uses the cloud computing capabilities for virtu-
devices alizing the operations of base stations, it still has
• Middle Layer (Layer 2). Fog/edge computing limited capacity and incurs long delay. In order
model to upgrade the overall performance, 5G tech-
• Upper Layer (Layer 3). Cloud computing nology uses heterogeneous networks (HetNets)
model that combine different RANs and distinct small
The detailed description of these layers is provid- cells to address the issues of capacity, coverage,
ed in the coming sections. and delay. Different CRANs use networks such

IEEE Communications Magazine • November 2017 115

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 Network service chaining Internet of Things
Cloud Fog computing devices
computing
Service classifier/SDN controller Multiple-
SDN OpenFlow hop
SDN controller switches Fog devices
applications 5G Single-
radio hop
Cloud Cloudlet tower
gateway/
ingress Egress D2D
router SDN router WAP

Network functions virtualization V2V

5G MBS
platform
Edge
Firewall TCP NAT gateway Small cell
optimization node
Massive MIMO
Video Traffic Video antenna
transcoding shaping optimizer NSC carrier grade
NSC functions
(service chaining)

Figure 2. Network service chaining model in 5G wireless architecture.

as: High-Speed Packet Access (HSPA), Glob- IaaS incorporates the provision of physical assets
al System for Mobile Communication (GSM), in various forms such as physical machines (PMs),
enhanced data rates for GSM evolution (EDGE), network devices, virtual machines (VMs), storage
code-division multiple access (CDMA), and Wi-Fi disks, and load balancers.
[4]. Small cells are low-power nodes (LPNs) with The underlying layer of IaaS is the physical
low cost and have a coverage range of femtocells hardware on which end users can install their
for buildings, picocells and microcells for dense application software and OS. Examples of IaaS are
areas such as shopping malls, railway stations, and Google compute engine, HP Cloud, SQL Azure,
hospitals, and macrocells for large coverage areas and Amazon S3 [5]. In [6], John et al. proposed a
used in vehicular networking and smart cities [2]. solution to improve the network performance at
The small cell, CRAN, and HetNet architec- the cloud to the edge devices by focusing on the
tures have challenges (related to inter-cell inter- NSC model in terms of carrier-grade infrastructure
ference mitigation, high energy consumption, and networks. The detailed description of the NSC
low spectral efficiency) that affect data manage- model is discussed in the next section.
ment in cloud computing. The concept of het-
erogeneous CRAN (H-CRAN) services with 5G Network Service Chaining Model in 5G
architecture was introduced to overcome the NSC is a flexible service model used in SDN and
challenges of CRAN and HetNets. H-CRAN uses NFV to automate virtual network devices instead
orthogonal frequency-division multiple access of manual connections. NFV is the ability to
(OFDMA) to improve the frequency and time perform network slicing that allows the virtual-
domain variations. In [4], Peng et al. proposed ization of a physical network to create a logical
a scheme known as soft fractional frequency network that consists of device instances. Some
reuse (S-FFR) for reusing frequency that is free examples of middlebox NFV functions are intru-
from interference, which improves the energy and sion detection and prevention system (IDS/IPS),
spectral efficiency in H-CRAN. firewalls, network address translation (NAT), video
transcoding, TCP optimization, TCP proxy, traffic
Cloud-Based Architecture shaping, and load balancing [6].
Cloud computing relies on DCs (groups of SDN is a promising technology that helps
servers) to ensure control and management of to simplify network design and management. It
resources by shifting data at a centralized loca- relies on software-based programming rather than
tion. The DCs troubleshoot servers locally and hardware-based, thereby enabling software recon-
remotely with physical security authentication pro- figuration for upgrading network policies. SDN
tocols such as Lightweight Directory Access Proto- consists of three planes: the data plane (Open-
col (LDAP). Figure 1 shows the cloud computing Flow switches), the control plane (SDN control-
model comprising services such as software as a ler), and the application plane. All the network
service (SaaS), platform as a service (PaaS), and policies are programmed at the SDN controller,
infrastructure as a service (IaaS). SaaS is used in and these policies are reflected at both the appli-
software licensing, delivering web services, and cation and data planes [2].
business applications. SaaS examples include Figure 2 shows the NSC model in the 5G net-
Google Docs, Google apps, Microsoft Office 365, work where the cloud and FC are integrated to
Salesforce CRM [5], and so on. PaaS allows the serve IoT devices. NSC performs data flow pro-
application developers to develop their own appli- cessing using the service chaining model con-
cations online, without being required to set up nected by using SDN-based approaches. Data
and manage individual hardware and software is transmitted from the core DCs with the help
layers. Examples of PaaS providers include Goo- of the ingress router and gateway to the edge
gle appengine, Windows azure, and salesforce. devices. For monitoring the global traffic, an SDN

116 IEEE Communications Magazine • November 2017

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 controller works with the NFV platform. In Fig. • Fully Virtualized Hypervisor: It installs all the To get fast response
2, the dark orange line represents a continuous hardware drivers and software for detecting
chain of network functions that combine a series malicious instructions that attempt to update time, with respect to
of carrier-grade networks to automate the virtual the hardware. VMware ESXi is a variant of resource depletion, off-
functions of the network resources and to pro- the fully virtualized hypervisor.
vide high QoS to the IoT devices using an egress • Hybrid Model Hypervisor: One of the pop- loading of computation
router. The aim of the NSC model is to reduce ular variants of this category is the kernel services to the nearby
the capital expenditure (CAPEX) and operational VM (KVM), which enables the virtualization cloud resources is
expenditure (OPEX), enable quick failure recov- capabilities for the guest processing and
ery, and simplify the installation/modification of input/output (I/O) scheduling. required. In this context,
new services at the SDN controller. • Micro-Kernelized Design Hypervisor: It exe- the Cloudlet/MEC is a
Moreover, by using the NSC model in 5G, cutes on micro-kernel design architecture
data offloading can be done to achieve the and is independent of the device drivers; for prototype model for
best QoS for the end users. Data offloading example, the Hyper-V hypervisor. offloading the remote
is needed when there is a shortage of band- The hypervisor models can be broadly classified cloud services to the
width, thereby distributing the load on nearby into two categories, type 1 and type 2. Type 1
networks. One possible solution for offloading operates on the system hardware, whereas type edge of the network to
is switching from the cellular bands to either 2 operates on the host OS to provide virtualiza- serve the nearby mobile
the Wi-Fi network, small cells, or delay-toler- tion services such as: memory management, CPU
ant network (DTN) [2]. In addition to SDN and scheduling, and I/O device support. Table 1 sum- devices (such as smart-
NFV technology along with the NSC model, the marizes the features of all the types of hypervisor phones, tablets, wear-
5G network also works in collaboration with software. able smart devices).
different wireless communication technologies
namely, MIMO, and small cells, to accommo- Fog Computing
date high data rates. Massive MIMO involves To get fast response time with respect to resource
multiple arrays of antennas merged into each depletion, offloading of computation services to
base station in order to transmit high data the nearby cloud resources is required. In this con-
streams simultaneously [2]. 5G technology pro- text, the cloudlet/MEC is a prototype model for
vides the best services to IoT devices by direct offloading the remote cloud services to the edge
vehicle-to-vehicle (V2V) and device-to-device of the network to serve the nearby mobile devic-
(D2D) communications through single-hop and es (e.g., smartphones, tablets, wearable smart
multihop paths. We discuss the virtualization devices). The cloudlet model operates at the LAN
concept in the NSC model below. level via a Wi-Fi or mobile network, and it address-
es issues such as: battery consumption, latency,
Virtualization and cost incurred when executing applications
Virtualization is a technique that allows the on mobile devices. The mobile users are served
abstraction of physical resources by creating by the FC model by offloading the computation
their specimen and represents them as logical services in a single-hop wireless access, thereby
resources. It is put into effect at the computing, providing a fast response time as depicted in Fig.
storage, network, and application levels. A phys- 2. The cloudlet services work in smartphone appli-
ical switch consists of multiple PMs linked by a cations, such as facial and speech recognition,
physical network interface card (pNIC). With the GPS navigation, and healthcare. Chen et al. [10]
help of hypervisor software or the virtual machine presented a trust model to protect data privacy
monitor (VMM), multiple VMs (guests) reside on and content sharing, and proposed an IDS based
the same PM. At the front-end, a virtual switch on secure cloudlet mesh for remote healthcare
(vswitch) is connected to the physical switch, applications.
whereas at the back-end, a vswitch is connect- In [11], Sarkar et al. addressed the issues con-
ed to all the vNICs. To provide VM connectivity, cerned with the integration of cloud computing
each VM is assigned an IP address over the virtual and the FC model with respect to IoT devices.
NIC (vNIC). The virtual Ethernet port aggregator The author focused on the performance of the
(VEPA) [7] allows the switching among the VMs. DCs that depletes high power and returns a mas-
Once a virtualized system is initiated, the hyper- sive amount of carbon dioxide (CO2). The author
visor states are then transferred to the memory. showed that the FC helps to reduce CAPEX and
The underlying hardware (e.g., AMD Processor OPEX up to 50.09 percent compared to cloud
and Intel VMX) assists the transition between the DCs. The FC architecture is a distributed approach
VMs and hypervisor. After a VM exits, the CPU is in which devices have peer-to-peer (P2P) connec-
loaded with the execution context of the hypervi- tivity for data computation and storage. Figure 1
sor, which in turn operates on the data residing in shows the FC model in a 5G network and how it
memory. operates when integrated with the cloud comput-
Kim et al. [8], explored different types of exist- ing scenario.
ing hypervisors, such as Citrix Xenserver, VMware
ESXi, KVM, and Hper-V hypervisor. The authors Architecture of the Fog Computing Layer
proposed a scheme known as VM placement for FC is characterized by benefits such as- interop-
addressing the issues of access latency recom- erability, mobility support, open communication,
mended for each VM running on the non-uniform robust performance, autonomous security, agil-
memory access (NUMA) system. Hypervisors are ity, and relatively low latency of a few millisec-
broadly classified into various categories [7, 8]: onds [11]. With FC, the distributed computing
• Para-Virtualization Hypervisor: It helps to infrastructure where the user services are hosted
modify the guest OS and is used by the by the network edge devices such as gateways,
Citrix XenServer hypervisor. access points, routers, and intelligent switches

IEEE Communications Magazine • November 2017 117

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 Hypervisor Models XenServer VMWare ESXi KVM Hyper-V

Developer Linux VMWare OVA Microsoft

Hypervisor type 1 1 2 1

Physical memory 1 TB 2 TB 2 TB 4 TB

Logical processors 64 160 160 320

Nodes per cluster 16 32 No cluster support 64

Maximum VMs 800-960 3000-4000 — 8000

Monitoring protocol HTTPS SOAP HTTPS WMA

IPV6 support No No Yes No

Host OS Linux, Solaris bare Metal Linux Windows Server

Guest OS Windows, Linux Linux Kernel Windows, Linux Windows, Linux

N/W virtualization No Third party Yes Yes

Cold migration Yes Yes Yes Yes

Risk of vulnerabilities High High Low Medium

Packet sniffing testing tools Wireshark, dsniff Wireshark, NetworkMiner Wireshark, tcpdump Wireshark, mysql-sniffer

Intrusion detection tools Snort, WirelessIDS Snort Snort Snort

Man-in-the-middle attack tools Ettercap, Cain e Abel Ettercap, PacketCreator Dsniff, Cain e Abel Armitage, Ettercap

Table 1. Characteristics of hypervisor software models.

using which the data is transmitted, instead of • In 4G, high latency is incurred in cloud com-
accessing it from the remote DCs. The fog devic- puting, but using FC in association with 5G
es are intelligent network devices making smart network, the end-to-end (E2E) latency is
decisions and store mini DCs to provide computa- reduced by almost 10 times.
tion and routing functions. • In 5G, the battery power life is increased by
Figure 1 shows the fog layer, consisting of fog 10 times in D2D communication.
instance (FI) and fog nodes (FNs). It is the fog • The bandwidth is higher (around 60 GHz) in
boundary in which only the relevant information 5G compared to 4G with low bandwidth (10
is mined and stored temporarily. With the help MHz).
of a communication link, packets are transferred Table 2 shows the comparative analysis of the
from the cloud end gateways to fog gateways and cloud computing and FC model along with the
vice versa. FNs enforce local processing, compu- existing proposals. The integration of cloud com-
tation, and storage, and perform analytics on the puting and IoT devices is called the CloudIoT
data. FC architecture is subdivided into two differ- model, and security remains a significant chal-
ent components, lenge in this model.
• Fog abstraction nodes are closer to the cloud
gateway for providing analytics, visualization, Security Model at the Cloudlet Mesh
and privacy. In 5G networks, an E2E security framework
• The fog orchestration layer consists of a is necessary in the business model. Although
“foglet,” which is closest to IoT devices to the response time in 5G wireless networks is
take input requests from end users. This layer increased by locating the cloud nearby the mobile
takes care of the fault tolerance, resource devices, the cloudlet mesh architecture is vulner-
management, and security with respect to the able to attacks. In [12], Modi et al. discussed var-
service deployment model at the edge [11]. ious possible attacks at various layers for cloud
computing. An adversary can flood a single server
Fog Computing Based on 5G Wireless Network with multiple requests (i.e., DDoS attack), mak-
According to [9], FC-RAN is the most popular ing it unable to handle valid requests, as shown
paradigm in 5G wireless networks for channel in Fig. 3. Here, the two attackers issue multiple
assignments, energy, and spectrum efficiency. The service requests simultaneously via a wireless net-
advantages of a 5G network over edge devices work in a single hop. The attackers disrupt the
are described as follows: cloudlet services in order to compromise the QoS
• 5G supports IoT devices 100 times faster available to the mobile devices. The remote cloud
compared to a 4G/LTE network. DCs and SDN controller are connected to each
• In 5G, the user data rate is approximately other via the Internet. The SDN controller is used
around 10–32 Gb/s compared to 4G having for monitoring and controlling the global network
100–150 Mb/s, reaching a peak terminal traffic. Data flows through the OpenFlow switches
data rate increase of almost 30 times. to the edge gateways, which forward the data to

118 IEEE Communications Magazine • November 2017

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 the cloudlet. Cloudlets are interconnected with (a) Comparative analysis of cloud and edge computing
each other in a P2P mode through the OF-switch-
es and make up the cloudlet mesh architecture. Requirements Cloud Computing Fog Computing
The cloudlet is located in distinct geographical
locations (say X, Y, and Z). Cloudlet mesh loca- Latency High Low
tions Y and Z are unsecured because in the com-
munication session, an attacker has launched a Delay jitter High Very low
DDoS attack.
Distance between client and server Multiple hops Single hop
To defend the cloudlet mesh, various security
protocols are used, such as- multi-party authen- Location awareness No Yes
tication protocol (MAP), inter-cloudlet protocol
(ICP), trusted cloud transfer protocol (TCTP), and Location of servers Within Internet Edge nodes
secure socket layer (SSL) [13]. The MAP supports
mobility management, content filtering and multi- Type of connectivity Leased line Wireless
way authentication between the cloudlet and the
mobile device. The ICP supports IDS and load bal- Geographical distribution Centralized Distributed
ancing operations within the cloudlet mesh. The
Response time Minutes Milliseconds, sub-seconds
TCTP performs the encryption of the file before
data gets uploaded to the public cloud. Moreover, Number of server nodes Few Very large
the authentication of services at the cloudlet mesh
is necessary in order to verify the authenticity of Security More secure Less secure
the genuine mobile user served by the cloudlet.
The solution for providing the authentication of ser- N/W bandwidth High Less
vices at the cloudlet server is the Kerberos mecha-
nism, which is discussed below. Risks of man-in-the-middle attack Less High

Kerberos Authentication Server Interference mitigation No Yes

Kerberos is a secure reliable authentication server Service type Global information Localized information services
[3] for providing authentication service quickly at
the cloudlet mesh for every incoming request from Target user Internet users Mobile users
mobile devices. For mutual authentication between
the mobile device and the cloudlet server (CS), the (b) Comparative analysis of existing proposals
mobile device performs authentication first by the
Kerberos servers, such as the authentication server Peng Aujla Kim Chen Sarkar
Proposals
(AS) and service granting server (SG). It uses SSL/ et al. [9] et al. [2] et al. [8] et al. [10] et al. [11]
TLS protocol for secure communication between
Stackelberg VM Number Mathematical
the communication parties. Figure 3 shows the Technique S-FRR
Game Placement Theory Model
communications between the Kerberos server and
the mobile device user ‘k’. Latency Yes Yes Yes Yes Yes
The steps involved in the communication ses-
sion are as follows: Energy Yes Yes No No Yes
• The mobile device (MDk) first initializes the
login session and sends the request to the Spectrum Yes Yes No No No
AS. The (MDk) sends his/her attributes such
as (IDMDk, OTPMDk, IPMDk, IDSG, tstamp1) all Data offloading No Yes Yes No No
appended in (PMDk). These attributes are the
Security No No No Yes No
identity, one-time password (OTP), network
IP address, identity of the SG, and timestamp Table 2. Comparative analysis.
to synchronize his/her clock with the AS.
• The AS verifies the (MD k) information in
the database. If the information matches • Finally, the (MD k) sends his/her attributes
successfully, the AS computes (ticketSG) as along with the ticket (ticketCS) to the CS.
a ticket for the SG. The ticket contains the • The CS checks the ticket (ticketCS) with the
(ID MDk) along with the timestamp and the authenticator, and if the ticket matches, the
ticket lifetime (lt1), which are all encrypted mobile device is granted access to the CS
with the key (K SG) which is known only to services.
the AS and SG. Hence, instead of implementing as a central-
• After receiving the ticket from the AS, (MDk) ized Kerberos for linking all the cloudlet web
sends the (ticketSG) along with (tstamp3) and servers, a distributed Kerberos architecture is
(ID CS) as an identity of the cloudlet server designed for providing mutual authentication at
(CS) to the SG. The third timestamp is used every cloudlet web server location. The DDoS
to inform the SG of the time at which the is the most common attack that occurs at the
authentication was performed by the AS. cloudlet web servers. The attacker floods the
• The SG authenticates the ticket, and if the web server with multiple requests like http or
authentication is successful, it then creates https over TLS to deplete server resources. The
(ticketCS) as a ticket for the CS. The ticket high risks of various network layer DDoS attack
contains the (MDk) attributes along with the types such as: volume-based attacks (UDP flood-
(tstamp4), (lt2), (IDCS) all encrypted with the ing, ICMP flooding) and protocol attacks (SYN
(K CS) key to prevent tampering; the key is flooding, ping of death) may be launched by an
known only to the SG and CS. attacker. Flooding consumes both incoming and

IEEE Communications Magazine • November 2017 119

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 5G technology works in
Remote cloud Remote cloud
both of the computing DC 1 Internet DC 2
models by integrating
SDN controller
advanced technologies
such as SDN and NFV.
SDH
Moreover, the NSC
model is integrated into
Cloudlet mesh DDoS attack
the SDN architecture for
Token (OTP) Blacklisted
fast chaining of the net- Mutual IPs
authentication Cloudlet 2
work virtualized services (location γ) ICMP/UDP/SYN
Token
in order to deliver high codes
flooding

QoS performance to the Single

hop Attacker
IoT devices. Cloudlet 1 (location X) Attacker Cloudlet 3 (location Z)

Data Web Cellular Wired Physical

centers Kerberos OF-switch server network link link
(DCs)
Cloudlet SDN Wi-Fi Wireless Virtual
Smartphone Laptop
controller network link link
SDN

Mobile device ‘k’ (MDk) Kerberos server (AS, SG, CS)

Session initialize phase

Choose MDk attributes:
(IDMDk, OTPMDk, IPMDk, IDSG, tstamp1). Authentication server (AS phase)
and PMDk = (IDMDk||OTPMDk||IPMDk||IDSG||tstamp1).
Select PMDk. Store and match (PMDk) in the database (DB) of AS.
AS compute ticket:
(PMDk) ticketSG = E(KSG, [IDMDk||IDSG||tstamp2||lt1])
QMDk = (ticketSG)
(Secure channel)
(QMDk)
Stores the encrypted ticket QMDk Secret key (secure channel)
Send the ticket along with MDk attributes.
RMDk = (IDCS||ticketSG||tstamp3).
Choose RMDk.
Service granting (SG phase)
(RMDk) Store RMDk in the database (DB) of SG.
(Secure channel) SG compute ticket:
ticketCS = E(KCS, [IDMDk||IDCS||tstamp4|t2)
SMDk = (ticketCS)
Store SMDk and MDk will send the ticket to the CS.
Finally, calculate TMDk = (IDMDk||ticketCS) (SMDk)
(TMDk) Secret key (secure channel)
(Secure channel) Cloudlet server (CS) phase

Store TMDk and match in its database.

If match then grant access to the cloudlet server (CS) to the MDk.

Figure 3. Mobile devices authentication at cloudlet mesh using Kerberos as a countermeasure for DDoS
attack.

outgoing bandwidth. To protect from unautho- authentication service. First, double encryption
rized and malicious traffic, a Kerberos server is is not required after the ticket for the targeted
placed as an external entity that uses hardware server gets encrypted. Hence, single encryption
tokens authentication. It generates token codes is sufficient for performing fast processing. Sec-
or one-time passwords (OTPs) over a fixed time ond, symmetric key encryption is performed for
interval with a timestamp. Figure 3 shows how fast execution times. Keeping these constraints in
Kerberos authenticates the client’s credentials mind, we investigate the performance analysis of
based on the token codes. In the case of flood- the Kerberos-based system.
ing using IP spoofing, Kerberos filters out those
IP address and considers them as blacklisted IP Performance Analysis
addresses that belong to spam resources. These We compute the running time of various oper-
blacklisted IP addresses remain blocked to pre- ations during the communication among the
vent sending requests and consuming network various parties. The list of various operations per-
bandwidth. formed are listed below:
Therefore, the Kerberos authenticate mecha- • Th: Execution time of a general hash opera-
nism helps in mitigating the DDoS attacks against tion
cloudlet web servers, but still Kerberos has some • Tap: Execution time of an append operation
limitations. In Kerberos version 5, two techni- • TBF: Execution time of the blowfish algorithm
cal deficiencies are noted in performing the fast • TDES: Execution time of the DES algorithm

120 IEEE Communications Magazine • November 2017

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 6 8
NSC-SDN SDN Without SDN NSC-SDN SDN Without SDN

5
6
4

Delay (ms)
Delay (ms)

3 4

2
2
1

0
0 500 1000 1500 2000 2500 3000
100 200 300 400 500 600
User density Distance of user from destination (m)
(a) (b)

Figure 4. Results obtained with/without SDN and NSC-SDN approaches: a) delay vs. user density; b) delay vs. distance between user
and destination.

Three main operations are used in the pro- ed to remote cloud DCs. At the cloudlet mesh,
posed Kerberos-based system. First, the double the high risk of DDoS attacks is a major challenge.
hashing operation is used by the AS for match- Hence, Kerberos is designed for authentication
ing the client information in the database; hence, of services to protect secure communication with
the two hash operations are used, and each Th authorized mobile devices only.
takes 0.007 ms [14] standard running time at the In the future, we will explore how the SDN can
server. Second, the append operation is used to be used in the 5G environment for accessing vari-
merge the attributes. In the proposal, 13 append ous resources. We will also explore more security
operations are executed, and each Tap takes 0.30 features of SDN-based cloud infrastructures.
ms running time to execute on Python. Third,
the symmetric key encryption is performed by Acknowledgments
using the blowfish or DES algorithm. The blow- We are thankful to all the anonymous reviewers
fish 448-bit key size algorithm incurs an execu- for their valuable suggestions, which improved
tion time of 3976 ms, and the DES 56-bit key size the overall quality and presentation of the article.
algorithm takes 5998 ms for processing 256 MB The work presented in this article is supported by
of data [15]. The ticket for the targeted server the Council of Scientific and Industrial Research,
is generated twice by using a symmetric encryp- New Delhi (no. 22/717/16/EMR-II).
tion algorithm. Therefore, the computation cost of
Kerberos using the blowfish algorithm is (2  Th + References
[1] J. Frahim et al., “Securing the Internet of Things: A Proposed
13  Tap + 2  TBF) ≈ 3979.914 ms or 3.979 s. In Framework,” Cisco White Paper, 2015.
the case of the DES algorithm, the computation [2] G. S. Aujla et al, “Data Offloading in 5G-Enabled Soft-
cost is (2  Th + 13  {Tap + 2  TDES) ≈ 6001.91 ware-Defined Vehicular Networks: A Stackelberg Game-
ms or 6.0 s. The computation cost shows that the Based Approach,” IEEE Commun. Mag., vol. 55, no. 7, July
2017.
blowfish algorithm is better for fast authentication. [3] W. Stallings, Cryptography and Network Security: Principles
Finally, the performance of the proposed NSC and Practices, Pearson Education India, 2006.
model with SDN is evaluated using lightweight [4] M. Peng et al, “Energy-Efficient Resource Assignment and
simulations. The results obtained are shown in Power Allocation in Heterogeneous Cloud Radio Access
Networks,” IEEE Trans. Vehic. Tech., vol. 64, no. 11, Nov.
Fig. 4. We note that the proposed model incurs 2015, pp. 5275–87.
lower delay compared to SDN or without SDN [5] D. Gonzales et al, “Cloud-trust — A Security Assessment
with respect to user density and the distance of Model for Infrastructure as a Service (Iaas) Clouds,” IEEE
the user from the destination. Trans. Cloud Computing, vol. PP, no. 99, 2015, pp. 1–1.
[6] W. John et al, “Research Directions in Network Service
Conclusion Chaining,” 2013 IEEE SDN for Future Networks and Services,
Nov. 2013, pp. 1–7.
In this article, we have presented a relative com- [7] S. Varrette et al, “HPC Performance and Energy-Efficiency of
parison and analysis of fog and cloud computing xen, kvm and Vmware Hypervisors,” 2013 25th Int’l. Symp.
Computer Architecture and High Performance Computing,
with respect to network service chaining in the 5G Oct. 2013, pp. 89–96.
environment. We have discussed the major issues [8] C. Kim and K. H. Park, “Credit-Based Runtime Placement of
of latency, cost, security, and data offloading at Virtual Machines on a Single Numa System for QoS of Data
the core DCs or located at the edge in the virtu- Access Performance,” IEEE Trans. Computers, vol. 64, no. 6,
June 2015, pp. 1633–46.
alized environment. 5G technology works in both [9] M. Peng et al, “Fog-Computing Based Radio Access Net-
of the computing models by integrating advanced works: Issues and Challenges,” IEEE Network, vol. 30, no. 4,
technologies such as SDN and NFV. Moreover, July 2016, pp. 46–53.
the NSC model is integrated into the SDN archi- [10] M. Chen et al, “Privacy Protection and Intrusion Avoidance
for Cloudletbased Medical Data Sharing,” IEEE Trans. Cloud
tecture for fast chaining of the network virtualized Computing, vol. PP, no. 99, 2016, pp. 1–1.
services in order to deliver high QoS performance [11] S. Sarkar, S. Chatterjee, and S. Misra, “Assessment of the
to the IoT devices. We have also presented differ- Suitability of Fog Computing in the Context of Internet of
ent types of hypervisors and their properties with Things,” IEEE Trans. Cloud Computing, vol. PP, no. 99, 201,
pp. 1–15.
respect to storage, operating system, and number [12] C. Modi et al, “A Survey on Security Issues and Solutions at
of nodes. Finally, we have focused on the security Different Layers of Cloud Computing,” J. Supercomputing,
attack at the cloudlet mesh architecture connect- vol. 63, no. 2, 2013, pp. 561–92.

IEEE Communications Magazine • November 2017 121

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.
 [13] Y. Shi, S. Abhilash, and K. Hwang, “Cloudlet Mesh for software-defined networking, network functions virtualization,
Securing Mobile Clouds from Intrusions and Network IIoTs, cloud computing, fog computing, and security.
Attacks,” 2015 3rd IEEE Int’l. Conf. Mobile Cloud Computing,
Services, and Engineering, Mar. 2015, pp. 109–18. N eeraj K umar [M’16, SM’17] ([email protected]) is
[14] D. He et al, “Efficient and Anonymous Mobile User working as an associate professor in the Department of CSED,
Authentication Protocol Using Self-Certified Public Key Thapar University. He received his Ph.D. from SMVD Univer-
Cryptography for Multi-Server Architectures,” IEEE Trans. sity, Katra (J&K) in computer science and engineering. He was
Info. Forensics and Security, vol. 11, no. 9, Sept. 2016, pp. a postdoctoral research fellow at Coventry University, United
2052–64. Kingdom. He has more than 150 research papers in leading
[15] O. P. Verma et al, “Notice of Violation of IEEE Publication journals and conferences. His research is supported by UGC,
Principles Peformance Analysis of Data Encryption Algo- DST, CSIR, and TCS. He is an Associate Editor of IJCS, Wiley and
rithms,” 2011 3rd Int’l. Conf. Electronics Computer Technolo- JNCA, Elsevier.
gy, vol. 5, Apr. 2011, pp. 399–403.
Sherali Zeadally [SM’08] ([email protected]) is an associate
professor in the College of Communication and Information at
Biographies the University of Kentucky. He received his doctoral degree in
Rajat Chaudhary [S’17] ([email protected]) is pursuing a computer science from the University of Buckingham, England.
Ph.D. from Thapar University, Patiala, Punjab, India. He received His research interests include cybersecurity, privacy, the Internet
his B.Tech degree in computer science and engineering from of Things, and energy-efficient networking. He is a Fellow of
UPTU, Lucknow, India, in 2010, and his M.Tech degree from the British Computer Society and the Institution of Engineering
UTU, Dehradun, India, in 2012. His research interests focus on Technology, England.

122 IEEE Communications Magazine • November 2017

Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY KURUKSHETRA. Downloaded on April 25,2022 at 17:59:56 UTC from IEEE Xplore. Restrictions apply.